Abstract

We shall review the cellular automaton (CA)-based pseudorandom-number generators (PRNGs), and show that one of these PRNGs can generate high-quality random numbers which can pass all of the statistical tests provided by the National Institute of Standards and Technology (NIST). A CA is suitable for hardware implementation. We demonstrate that the CA-based stream cipher, which is implemented in the field-programmable gate arrays (FPGA), has a high encryption speed in a real-time video encryption and decryption system.
1 Introduction

Many secret key cryptosystems have been proposed thus far [1]. One of the advantages of a stream cipher over a block cipher is its high encryption speed and small gate size when it is implemented in hardware. Therefore, a stream cipher is suitable for developing high-speed and low-power encryption systems. There will be an increase in demand for the development of faster encryption associated with high-resolution video, high-volume data retrieval, and other high-speed data communication systems such as 10 Gbit networks. Thus, in various fields, a hardware-like stream cipher is now requested for real-time encryption and decryption.

In this paper, we propose a CA-based PRNG used for a stream cipher which is suitable for hardware implementation because of its simple construction (i.e., locality of interaction and homogeneous units) [2]. A one-dimensional elementary cellular automaton (ECA) consists of a line of cells with $S_i = 0$ or $1$ for $i = 0, 1, 2, \ldots, N$. These cell values are updated in parallel in discrete time steps according to a fixed rule of the form,

$$S_i^{t+1} = F(S_{i-1}^t, S_i^t, S_{i+1}^t) \quad (1)$$

where $S_i^t$ denotes the $i$-th cell value at time $t$. Wolfram first used the ECA as a PRNG, and investigated its randomness [3]. He concluded that the following 'rule 30' is the best PRNG among the ECA rules,

$$S_i^{t+1} = S_{i-1}^t \oplus (S_i^t \lor S_{i+1}^t) \quad (2)$$

where $\oplus$ denotes plus modulo 2. He also proposed the CA-based stream cipher using this ECA30 [4]. It is known that ECA30 has large periodic cycles. The maximum period is 2°-^^ with system size $N$. Most configurations fall into the cycle if we set the system size sufficiently large. Now, Wolfram also emphasizes that ECA30 is the 'origin of randomness' in his new book [5].

On the other hand, additive CA-based PRNGs, such as rule 90, rule 150, rule 105, and rule 165,^1 have been proposed by Hortensius et al. [6, 7], Nandi and Chaudhuri [8, 9], and Tomassini et al. [10, 11, 12]. Tomassini has proposed that rule 165 is the best PRNG among the ECA rules. Moreover, CA with rule 90, rule 105, rule 150, and rule 165 is the best PRNG among the inhomogeneous CA rules. This is because Tomassini et al. evaluated the randomness using the results of the Diehard test suite [13] which does not have a linear complexity test. We originally found that these CAs do not pass the linear complexity test which is one of the NIST statistical tests [14]. The linear complexity test is crucial for the application of a PRNG to a cryptosystem because this test detects whether the prediction is possible. It is also known that linear CA is equivalent to the linear feedback shift register of the same size even if we use these rules inhomogeneously [15, 16]. In fact, Nandi and Chaudhuri proposed an additive CA-based block cipher with nonlinear transformations [17] after realizing this point [18, 19]. Mihaljevic and Cattell also independently proposed additive CA-based cryptosystems [20, 21, 22, 23].
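
The linear-complexity point above can be checked directly. The following Python sketch is an added illustration, not code from the paper: it runs the Berlekamp-Massey algorithm on the one-cell keystream of small homogeneous CAs with periodic boundary. The 64-cell size, the 400-bit length and the constructed seed are assumptions chosen so that it runs quickly; for the additive rules the result can never exceed N + 1, while rule 30 is not bound by that limit.

```python
N = 64  # number of cells (assumed for this sketch; the paper uses N = 1000)
# Constructed initial configuration (the "key"), not a value from the paper.
SEED = [(0x9E3779B97F4A7C15 >> i) & 1 for i in range(N)]

def step(cells, rule):
    """One parallel update of an elementary CA with periodic boundary."""
    n = len(cells)
    return [(rule >> (4 * cells[i - 1] + 2 * cells[i] + cells[(i + 1) % n])) & 1
            for i in range(n)]

def keystream(rule, seed, nbits, cell=0):
    """Values of one fixed cell over nbits time steps."""
    cells, out = list(seed), []
    for _ in range(nbits):
        out.append(cells[cell])
        cells = step(cells, rule)
    return out

def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR that outputs bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                        # discrepancy between LFSR prediction and bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            for j in range(n + 1 - (i - m)):
                c[i - m + j] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def compare(nbits=400):
    """Linear complexity of the keystream for the additive rules and for rule 30."""
    return {rule: linear_complexity(keystream(rule, SEED, nbits))
            for rule in (90, 150, 105, 165, 30)}

if __name__ == "__main__":
    for rule, lc in compare().items():
        print(f"rule {rule:3d}: linear complexity {lc}")
```
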

Guan et al. proposed a new class of CA (controllable CA and two-dimensional CA with an asymmetric neighborship), and investigated their randomness using the Diehard test suite [24, 25]. In this paper, we investigate the randomness of sequences generated by nonadditive CAs, that are ECA30 and its 5-neighbor extension (rule 535945230 in 5-neighbor CA framework), using the statistical test suite provided by NIST, and compare them with some good PRNGs (AES, SHA1, and MUGI). After we show the hardware implementation of these CAs in FPGA, we demonstrate that these CAs have a high encryption speed in experiments of real-time video encryption and decryption systems.

2 Randomness Evaluation 

Randomness is one of the crucial points for a keystream of secure stream ciphers. Although various types of statistical test for randomness have been proposed thus far [13, 26, 27], we will focus on the NIST statistical test suite [14], and will show the results of this test suite.

2.1 On NIST statistical test suite

The NIST statistical test suite is a statistical package consisting of 16 tests that were developed to test the randomness of arbitrarily long binary sequences produced by either hardware or software-based cryptographic random- or pseudorandom-number generators. These tests focus on different types of nonrandomness that could exist in a sequence. The 16 tests are listed in Table 1. Note that the test settings of the discrete Fourier transform test and the Lempel-Ziv compression test are wrong [28]. So, in what follows, we use the corrected version of the test suite [29].

For each statistical test, a set of P-values, which corresponds to the set of sequences, is produced. Each sequence is called success if the corresponding P-value satisfies the condition P-value > $\alpha$, and is otherwise called failure. For a fixed significance level $\alpha$, 100$\alpha$ % of P-values are expected to indicate failure^2. For the interpretation of test results, NIST adopts the following two approaches,

(1) the examination of the proportion of success sequences (success rate)

If the proportion of success sequences falls outside of the following acceptable interval, there is evidence that the data is nonrandom.



Here, $R = 1 - \alpha$ and $m$ is the number of sequences. This interval is determined to be in the 99.73% range of the normal distribution which is an approximation of the binomial distribution under the assumption that each sequence is an independent sample.

^1 Rules of linear CA have only XORs, and rules of additive CA have only XOR and XNOR.

^2 All the statistical tests of the NIST statistical test suite have the unique significance level $\alpha$ = 0.01.

Table 1: List of the NIST Statistical Tests

| Number | Test Name |
|---|---|
| 1 | Frequency |
| 2 | Block Frequency |
| 3 | Runs |
| 4 | Longest Run |
| 5 | Binary Matrix Rank |
| 6 | Discrete Fourier Transform |
| 7 | Non-overlapping Template Matching |
| 8 | Overlapping Template Matching |
| 9 | Universal |
| 10 | Lempel Ziv Compression |
| 11 | Linear Complexity |
| 12 | Serial |
| 13 | Approximate Entropy |
| 14 | Cumulative Sums |
| 15 | Random Excursions |
| 16 | Random Excursions Variant |


(2) the examination of the uniformity of the distribution of P-values

This examination is accomplished by computing the following value.

$$\chi^2 = \sum_{i=1}^{10} \frac{(F_i - m/10)^2}{m/10}$$

Here, $F_i$ is the number of P-values in subinterval [(i-1)*0.1, i*0.1), and $m$ is the number of sequences (sample size). The P-value of P-values is calculated such that P'-value = igamc(9/2, $\chi^2$/2), where igamc(n,x) is the incomplete gamma function. If P'-value > 0.0001, then the set of P-values can be considered to be uniformly distributed.
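
The two acceptance checks described above, as an added Python example (not code from the paper or from the NIST suite). The interval half-width 3*sqrt(R(1-R)/m) is the three-sigma form given in the NIST documentation, consistent with the 99.73% range stated above; the sample P-values are constructed.

```python
import math

ALPHA = 0.01  # significance level of every test in the suite (from the text)

def acceptable_interval(m, alpha=ALPHA):
    """Three-sigma interval around R = 1 - alpha for the success rate of m sequences."""
    r = 1.0 - alpha
    half = 3.0 * math.sqrt(r * (1.0 - r) / m)
    return r - half, r + half

def igamc_9_2(x):
    """igamc(9/2, x): upper regularized incomplete gamma, closed form for a = 9/2."""
    if x <= 0.0:
        return 1.0
    q = math.erfc(math.sqrt(x))            # igamc(1/2, x)
    for a in (0.5, 1.5, 2.5, 3.5):         # igamc(a+1, x) = igamc(a, x) + x^a e^-x / Gamma(a+1)
        q += math.exp(a * math.log(x) - x - math.lgamma(a + 1.0))
    return q

def uniformity_p(p_values):
    """P'-value of the chi-square statistic over ten equal subintervals of [0, 1]."""
    m = len(p_values)
    counts = [0] * 10
    for p in p_values:
        counts[min(int(p * 10), 9)] += 1   # a P-value of exactly 1.0 goes into the last bin
    chi2 = sum((f - m / 10) ** 2 / (m / 10) for f in counts)
    return igamc_9_2(chi2 / 2.0)

def assess(p_values, alpha=ALPHA):
    """Apply both interpretations to the P-values of one statistical test."""
    m = len(p_values)
    rate = sum(p > alpha for p in p_values) / m   # success: P-value > alpha, as in the text
    lo, hi = acceptable_interval(m, alpha)
    p_uniform = uniformity_p(p_values)
    return {"success_rate": rate, "interval": (lo, hi),
            "rate_ok": lo <= rate <= hi,
            "uniformity_p": p_uniform, "uniform_ok": p_uniform > 0.0001}

# Constructed inputs: evenly spread P-values, and a degenerate set stuck at 0.5.
SPREAD = [(k + 0.5) / 1000 for k in range(1000)]
STUCK = [0.5] * 1000

if __name__ == "__main__":
    print(assess(SPREAD))
    print(assess(STUCK))
```

For m = 1000 the interval is roughly 0.9806 to 0.9994, so a set in which every sequence succeeds also falls outside it, as the degenerate sample shows.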



2.2 Test results 

In this subsection, we show the results of the NIST statistical test suite for several PRNGs. For each statistical test, the two analyses described above are executed, and evaluated whether the set of sequences passes the test. We used 1000 samples of 10^ bit sequences for each test. Consequently, 10 (keys) x 1000 (sample) x 10^ (sequence) bits are used for each test in order to investigate the difference in results between different keys^3. The input parameters that we used are listed in Table 2. In the CA case, we used the cell values $\{S_i^t\}$ with a fixed cell number $i$ as a keystream, and also used the system size $N = 1000$ and periodic boundary condition.

Results of ECA30

Table 3 shows the results of ECA30. While all tests are passed in the best cases (key 4, key 5, key 7 and key 10), the runs test (number 3), the non-overlapping template matching test (number 7), the random excursions test (number 15), and the random excursions variant test (number 16) fail in the worst case (key 1). The success rates of the worst case (key 1) and of the best case (key 4) are shown in Figure 1. Solid lines denote the acceptable interval specified by eq.(4). As we can see, some tests have many success rates. For example, the non-overlapping template matching test (number 7) has 148 success rates because one success rate corresponds to one-template (nonperiodic pattern consisting of 9 bits) matching. If at least one success rate is out of the acceptable interval, then the test fails (see key 1 case).

^3 The key is the initial configuration $\{S_i^0\}$ in the CA case.

Table 2: Parameters used for the NIST Test Suite

| Test Name | Block Length |
|---|---|
| Block Frequency | 20,000 |
| Non-overlapping Template Matching | 9 |
| Overlapping Template Matching | 9 |
| Universal (Initialization Steps) | 7 (1280) |
| Linear Complexity | 500 |
| Serial | 10 |
| Approximate Entropy | 10 |



Table 3: Results of ECA30. Pass denotes a set of sequences that passed all 16 tests. The other numbers denote the failed test number listed in Table 1.

| Key | Success Rate | Uniformity |
|---|---|---|
| 1 | 3, 7, 15, 16 | pass |
| 2 | 15, 16 | pass |
| 3 | 7 | pass |
| 4 | pass | pass |
| 5 | pass | pass |
| 6 | 7 | pass |
| 7 | pass | pass |
| 8 | 7 | pass |
| 9 | 8 | pass |
| 10 | pass | pass |



Figure 1: Success rates of ECA30 for 16 tests. Key 1 and key 4 cases are shown in the upper and lower panels, respectively. Solid lines denote the acceptable interval (eq.(4) with $\alpha$ = 0.01).

Table 4: Results of ECA30 with rotation shift (11 cells)

| Key | Success Rate | Uniformity |
|---|---|---|
| 1 | pass | pass |
| 2 | pass | pass |
| 3 | 7 | pass |
| 4 | 7 | pass |
| 5 | pass | pass |
| 6 | 7 | pass |
| 7 | pass | pass |
| 8 | 7 | pass |
| 9 | 7 | pass |
| 10 | pass | pass |

Figure 2: Success rates of ECA30 with rotation shift (11 cells). Key 9 and key 10 cases are shown in the upper and lower panels, respectively. Solid lines denote the acceptable interval (eq.(4) with $\alpha$ = 0.01).

Table 5: Results of AES

| Key | Success Rate | Uniformity |
|---|---|---|
| 1 | pass | pass |
| 2 | pass | pass |
| 3 | 15 | pass |
| 4 | pass | pass |
| 5 | 7 | pass |
| 6 | 14 | pass |
| 7 | 7, 8 | pass |
| 8 | pass | pass |
| 9 | pass | pass |
| 10 | pass | pass |



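Table 6: Results of SHA1

| Key | Success Rate | Uniformity |
|---|---|---|
| 1 | pass | pass |
| 2 | pass | pass |
| 3 | 7 | pass |
| 4 | 7 | pass |
| 5 | pass | pass |
| 6 | 7, 15, 16 | pass |
| 7 | 7 | pass |
| 8 | 7 | pass |
| 9 | pass | pass |
| 10 | pass | pass |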



We investigated the test results in the cases where we added rotation shift to ECA30 in each time step. Table 4 shows the results of ECA30 with rotation shift (11 cells). The success rates of the worst case (key 9) and of the best case (key 10) are shown in Figure 2. This time, all tests pass in five cases (key 1, key 2, key 5, key 7 and key 10). It seems that the randomness of sequences is slightly improved. Although the non-overlapping template matching test fails in five cases, the number of templates whose success rate is out of the acceptable interval (but very close to the boundary) is only one or two. However, we found that rotation shift does not always improve the randomness of sequences effectively.

Results of good PRNGs

Tables 5, 6, and 7 show the results of AES (128 bit key, OFB mode), SHA1, and MUGI, respectively, in order to compare the results between ECA30 and them. As we can see, all tests are passed in six cases (AES), in five cases (SHA1), and in seven cases (MUGI), respectively. Note that the SHA1 case is the same frequency as the ECA30 with rotation shift (11 cells).

Results of 5-neighbor CA

We can obtain the following equation if we consider two iterations of eq.(2),

$$S_i^{t+1} = S_{i-2}^t \oplus S_{i+1}^t \oplus S_{i+2}^t \oplus S_{i-1}^t S_{i+1}^t \oplus S_{i-1}^t S_{i+2}^t \oplus S_i^t S_{i+1}^t \oplus S_i^t S_{i+2}^t \oplus S_{i+1}^t S_{i+2}^t \oplus S_{i-1}^t S_{i+1}^t S_{i+2}^t \oplus S_i^t S_{i+1}^t S_{i+2}^t \quad (6)$$

This is equivalent to rule 535945230 in the 5-neighbor CA framework [5]. We have investigated the randomness of sequences generated by some class of 5-neighbor CA rules. We found that rule 535945230 is the best.

Table 7: Results of MUGI

| Key | Success Rate | Uniformity |
|---|---|---|
| 1 | 7 | pass |
| 2 | pass | pass |
| 3 | pass | pass |
| 4 | pass | pass |
| 5 | 7 | pass |
| 6 | pass | pass |
| 7 | pass | pass |
| 8 | pass | pass |
| 9 | 7 | pass |
| 10 | pass | pass |

Table 8: Results of CA5-535945230 with rotation shift (11 cells)

| Key | Success Rate | Uniformity |
|---|---|---|
| 1 | pass | pass |
| 2 | 7, 12 | pass |
| 3 | pass | pass |
| 4 | pass | pass |
| 5 | 7 | pass |
| 6 | pass | pass |
| 7 | pass | pass |
| 8 |  | pass |
| 9 | pass | pass |
| 10 | 7 | pass |

Table 8 shows the results of CA5-535945230 with rotation shift (11 cells). We use one cell $S_i^t$ (fixed $i$) as a keystream at each time step as well as ECA30 cases. As we can see, all tests are passed in six cases. This is the same frequency as AES. We can conclude that the CA5-535945230 with rotation shift (11 cells) has good randomness, which is comparable to well-known good PRNGs such as AES, SHA1, and MUGI.
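
An added check (not code from the paper) that two iterations of eq.(2) give the 5-neighbor rule number quoted above, and that an expanded XOR/AND form of the same function agrees with it. The rule-number convention assumed here is Wolfram's: the five cells, leftmost first, spell the bit index of the rule number in binary. The 40-cell configuration is constructed.

```python
RULE5 = 535945230  # 5-neighbor rule number quoted in the text

def rule30(left, center, right):
    """eq.(2): left XOR (center OR right)."""
    return left ^ (center | right)

def two_steps(a, b, c, d, e):
    """Cell i after two rule-30 updates, computed from cells i-2 .. i+2."""
    return rule30(rule30(a, b, c), rule30(b, c, d), rule30(c, d, e))

def anf(a, b, c, d, e):
    """The same function written with XOR and AND only."""
    return (a ^ d ^ e ^ (b & d) ^ (b & e) ^ (c & d) ^ (c & e) ^ (d & e)
            ^ (b & d & e) ^ (c & d & e))

def rule_number(f):
    """Rule number of a 5-neighbor function f (bit k = f on neighborhood k)."""
    number = 0
    for k in range(32):
        cells = [(k >> shift) & 1 for shift in (4, 3, 2, 1, 0)]
        number |= f(*cells) << k
    return number

def step_eca30(cells):
    """One rule-30 update of the whole lattice, periodic boundary."""
    n = len(cells)
    return [rule30(cells[i - 1], cells[i], cells[(i + 1) % n]) for i in range(n)]

def step_ca5(cells, rule=RULE5):
    """One update of the 5-neighbor CA by table lookup in the rule number."""
    n = len(cells)
    return [(rule >> (16 * cells[i - 2] + 8 * cells[i - 1] + 4 * cells[i]
                      + 2 * cells[(i + 1) % n] + cells[(i + 2) % n])) & 1
            for i in range(n)]

# Constructed 40-cell configuration for the lattice-level comparison.
CONFIG = [(0xB5AD4ECEDA >> i) & 1 for i in range(40)]

if __name__ == "__main__":
    print(rule_number(two_steps), rule_number(anf))
    print(step_ca5(CONFIG) == step_eca30(step_eca30(CONFIG)))
```

One update of the 5-neighbor CA therefore advances the lattice by two ECA30 time steps.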

2.3 Security discussion 

It is known that the ECA30-based stream cipher which was proposed by Wolfram has a security problem. If we use two consecutive cell values ($S_i$, $S_{i+1}$) as a keystream at each time step, an attacker can easily calculate the secret key (initial configuration) from the keystream using the following equation which is the same equation as eq.(2).

In order to avoid this, Wolfram proposed that we should use only one cell value ($S_i$) as a keystream at each time step. He suggested that an attacker cannot easily calculate the secret key from the keystream in this case (exponential time is required). However, the effective key size is much less than $N$ even in this case [30]. We should set system size $N = 2000$ in order to set the effective key size to more than 80 in this Wolfram case.

In order to avoid this attack, we sample cell values such that the distance between consecutively sampled cells becomes larger (e.g., cell numbers 1, 7, 14, 22, 31, 41, ..., 932, 976 are sampled for 40 bit per clock), and rotation shift (11 cells) is added at each time step. As a result, we sample cell values which are denoted as shaded cells in Figure 3 in the CA5-535945230 case if we consider the 3-neighbor CA framework. In this case, the attack mentioned above no longer applies directly. It is difficult to calculate the secret key from the keystream (shaded cells) using eq.(7). If someone could find another attack, the effective key size would be improved as compared with the Wolfram type.

Figure 3: Sampled cells in CA5-535945230 case

Figure 4: Success rates of ECA30 with sampling method for two different keys

The keystream using this sampling method also has high-quality randomness. The success rates of 
the ECA30 case and CA5-535945230 case are shown in Figure 4 and Figure 5, respectively. As we can 
see, all tests are passed except the non-overlapping template matching test (for one template). Note that 
the linear complexity test is also passed even if we choose the maximum parameter M = 5000 in both 
cases. 

It is well known that statistical characteristics of the keystream are just a component of the security evaluation of a stream cipher. In this paper, we propose an encryption approach based on CA with desirable statistical characteristics and implementation suitability, but its detailed security evaluation is out of our scope, and this issue is an open one.

Figure 5: Success rates of CA5-535945230 with sampling method for two different keys

Figure 6: DDR-SDRAM evaluation boards



3 Hardware Implementation 

Figure 6 shows a schematic of DDR-SDRAM evaluation boards produced by Tokyo Electron Device Ltd. There are video input and output (40 bit per clock), FPGA (VirtexII), and low voltage differential signaling (LVDS) on this board for the purpose of real-time video encryption and decryption. We implemented the CA-based stream cipher on two FPGAs (see Fig. 7), and executed the experiment of real-time video encryption and decryption (see Fig. 8).



3.1 Implementation results 

Table 9 shows the implementation results for the system size $N = 1000$ case. As we can see, both algorithms work up to a high clock frequency because of their simple construction. In the CA5 case, randomness and security level are higher than those in the ECA30 case although encryption speed and gate size are lower. If we set the system size $N$ larger, the encryption speed becomes higher. On the other hand, if we set the system size $N$ smaller, the gate size becomes smaller although we have shown only the system size $N = 1000$ case. Actually, we realized a 1 Gbps encryption speed because the board we used in the real-time encryption and decryption experiment has a 27 MHz clock frequency.

Table 9: Implementation results

| | ECA30 | CA5 |
|---|---|---|
| gate size (gate) | 14699 | 20699 |
| max clock frequency (MHz) | 105.83 | 75.55 |
| encryption speed (Gbps) | 4.23 | 3.02 |



4 Summary 

We have reviewed the cellular automaton-based PRNGs, and have shown that one of these PRNGs, 
which was denoted as CA5-535945230, can generate high-quality random numbers which can pass all of 
the NIST statistical tests. We demonstrated that the encryption algorithm using the CA-based PRNG 
has a 3 Gbps encryption speed in the case of FPGA (20 Kgate used). This suggests that CA is suitable 
for developing a high-speed hardware-like encryption system.